Think You Don't Need A VPN? Use One Anyway

When we talk about VPNs, it's often in the context of unsafe situations. Senior Security Analyst Max Eddy argues that these tools are still valuable, even when the risk is low.

I have written about VPNs a lot, and I'll admit that I've started to repeat myself. For example, just about every article I've written on the subject includes a line about using the Wi-Fi at a coffee shop and how it's not safe to do so without a VPN. It might be repetitive, but it's a good way to illustrate the point that you should use a VPN when you're in a potentially unsafe situation.

Here's the thing: I actually think you should use a VPN all the time, no matter if you're at home, at work, or commuting. If you're using the internet, you should have a VPN. And that's not just because I'm paranoid!

Use a VPN When It's Unsafe

There are some very obvious instances when it's a good idea to use a VPN. When you're traveling, for example, you don't have a lot of choices about where you'll get your internet, and a VPN is a necessity.

Coffee shops are the preeminent example, but any place where you don't control the Wi-Fi network isn't really safe. I'm talking about airports, airplanes, buses with fancy Wi-Fi connections, hotels, Airbnbs, libraries, and anywhere the network isn't directly controlled by someone you personally trust. Wi-Fi networks in public spaces may not be correctly configured, or may not be serviced often. That gives attackers ample opportunity to take control of these naturally occurring honeypots and intercept whatever data is moving across the networks.

Of course, there's no reason why a bad guy would need to bother attacking an existing Wi-Fi network. They could simply set up shop nearby and create their own network with a name that closely resembles the real network. Who among us can say that they have never, in desperation, clicked on a shady-looking Wi-Fi network?

Use a VPN When You Only Think It's Safe

Ideally, your office is probably one of the safest, best-run networks you'll encounter. At the PCMag labs, our IT guys tracked me down less than an hour after I connected some unauthorized devices for completely legitimate purposes. Despite, or rather because of, that, you should definitely use a VPN on your personal devices in the office. It's the prerogative of your employer to monitor its networks. That means the company can monitor the traffic from your personal devices if you connect to the company's network.

Many devices will automatically connect to Wi-Fi networks they've seen before. When you take your laptop home, it seamlessly finds and connects to your home network. Unless you periodically prune the list of networks on your device, you probably have a few easily guessable network IDs in there. Boingo runs Wi-Fi networks at many airports across the country, and many of those networks have exactly the same name. All an attacker would have to do is set up a rogue access point with the same name as one of these commonly found networks and devices will quietly connect, sometimes without the owners even realizing it.

A more exotic attack relies on "overly chatty" devices that advertise what networks they're looking for. Instead of having to guess an SSID, the attacker can use a specialized device that pretends to be whatever network a device is looking for. I was shown one such attack in progress at Black Hat. The company that spotted it estimated that the rogue network had fooled some 35,000 devices.
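One way to do the pruning described above is to audit your saved Wi-Fi profiles for the two risky traits these paragraphs describe: open networks that auto-connect, and profiles that make the device announce an SSID. This is an added example, not code from the article; it assumes a Linux machine using NetworkManager's keyfile profile format, and the sample profiles are constructed.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from the article).
SAMPLES = {
    "Airport_Free_WiFi": "[connection]\nid=Airport_Free_WiFi\ntype=wifi\n"
                         "[wifi]\nssid=Airport_Free_WiFi\n",
    "HomeNet": "[connection]\nid=HomeNet\ntype=wifi\n"
               "[wifi]\nssid=HomeNet\nhidden=true\n"
               "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "OldHotel": "[connection]\nid=OldHotel\ntype=wifi\nautoconnect=false\n"
                "[wifi]\nssid=OldHotel\n",
}


def audit_profile(text):
    """Return findings for one saved Wi-Fi profile (empty list = nothing flagged)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return []
    findings = []
    # NetworkManager auto-connects unless the profile says otherwise.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    # No [wifi-security] section means the network is open: no encryption,
    # and nothing the device can use to tell the real access point from a copy.
    is_open = not cp.has_section("wifi-security")
    if is_open and auto:
        findings.append("open+autoconnect: joins any AP using this name")
    elif is_open:
        findings.append("open: saved but manual connect only")
    # hidden=true makes the device send probe requests that name this SSID.
    if cp.getboolean("wifi", "hidden", fallback=False):
        findings.append("hidden: device names this SSID in probe requests")
    return findings


def audit_all(profiles):
    """Map profile name -> findings, keeping only profiles with findings."""
    report = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On a real system the profiles live in /etc/NetworkManager/system-connections/ and are readable only by root; anything flagged as open and auto-connecting is a candidate for deletion.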

Use a VPN When You're Safe

A solid quarter of PCMag's readers use a VPN to stream video, so it's safe to assume they're using a VPN at home. If they're not, they should be. But that's not the reason why I use a VPN in the comfort of my mist-shrouded Hudson Valley mansion. I do it because I loathe my internet service provider.

There are two halves to my hatred: the first is the generalized anger most people have towards a faceless corporation that milks me for cash on a monthly basis. I'll never have warm and fuzzy feelings toward a company that routinely raises my rates, provides crummy service, and tacks on unnecessary "features" to my bills.

The other (and more relevant) half of my tumor of ire is that, despite all the ways my ISP is already sucking my wallet dry, it's also selling my data. There was a time, not long ago, when ISPs were forbidden from selling anonymized user data, but they wanted a piece of the surveillance capitalism pie that has served Google, Facebook, and sundry ad networks so well for the past decade and a half. Congress gave it to them, and now my data (along with a bunch of other people's) is lumped together and sold off for ad intelligence, or who knows what big data grift.

I'm not a fan of paying for things with my data, but at least in the case of Facebook and Google, their services don't cost anything. I'm already paying my ISP, and the company still feels entitled to make even more money off me. Moreover, I could theoretically do without Google or Facebook but I don't have a lot of choice in my ISP. In fact, some people in the great city of New York have only one broadband provider to choose from.

If that's not a good enough argument for you, consider the lengths that law enforcement and governments have gone to to intercept people's data. From the NSA to your local police, there are plenty of powerful organizations eager to get a peek at what you're doing. Maybe you have nothing to hide, but laws can change and I, for one, would like the people performing domestic surveillance to actually have to work at it.

Keep in mind that even when you're in a situation where the network should be secure, like your home or at work, that's not necessarily the case. Most of us just plug in our Wi-Fi routers and forget about them for the next decade or so. That means the router might be running vulnerable firmware and is ripe for exploitation. Be sure to do the security basics with your home network: change default passwords, enable automatic updates if the option is available, and check on it from time to time.

Use a VPN When It Makes Sense

Security wonks are unfortunately quick to call out even the smallest cut corner in personal security. If there's one thing I hate more than my ISP (and, oh boy, do I hate them), it's security advice that's overly prescriptive and gate-keepery. So if you don't use a VPN all the time, that's okay. The movement toward a more secure, more privacy-focused world is about shaming the bad actors, not normal people doing their best to stay safe in a dangerous world.

Sure, it's ideal to use a VPN all the time, but that's an ideal. Ideals are great for building good habits, but if you stick to them too dogmatically, you'll just wear yourself out. If you can't send an email or watch a movie because the VPN is making trouble, switch it off for a bit, then turn it back on when you can. So use a VPN often, but don't beat yourself up when it doesn't make sense to use it.

About the Author

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.

Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on Twitter at @wmaxeddy.